Microsoft Visual Basic for Applications (VBA) does not adequately validate document properties

Overview

Microsoft Visual Basic for Applications (VBA) contains a buffer overflow when validating document properties. This vulnerability could allow an attacker to execute arbitrary code with the privileges of the user running VBA.

Description

From Microsoft Security Bulletin MS03-037:

Microsoft VBA is a development technology for developing client desktop packaged applications and integrating them with existing data and systems. Microsoft VBA is based on the Microsoft Visual Basic development system. Microsoft Office products include VBA and make use of VBA to perform certain functions. VBA can also be used to build customized applications based around an existing host application.
A VBA subsystem, the Visual Basic Design Time Environment (VBE), does not adequately validate certain data passed to it from documents that contain VBA code:

A flaw exists in the way VBA checks document properties passed to it when a document is opened by the host application. When a document is opened by an application that supports Microsoft VBA, the host application carries out a check to determine whether Microsoft VBA is required by the document and should therefore be loaded. During this initial check some document properties are passed to Microsoft VBA - a flaw exists because Microsoft VBA does not correctly validate the data that is passed to it during this initial phase.
VBE is implemented in vbe.dll (VBA 5.0) or vbe6.dll (VBA 6.x).

An attacker could exploit this vulnerability by convincing a victim to open a document that contained specially crafted VBA code. If Word is configured as the email editor for Outlook, an exploit could be delivered via an email message. In this case, the victim would have to reply to or forward the message in order to trigger the exploit. Also, since certain types of Office files are automatically opened by Internet Explorer (IE), an attacker could convince the victim to load a crafted document from a web site.

VBA is included in a number of Microsoft products including Office (Word, Excel, PowerPoint, Access), Publisher, Project, Visio, Works Suite, and Business Solutions (Great Plains, Dynamics, eEnterprise, Solomon). In addition, non-Microsoft products that use VBA may be affected. Per MS03-037:

Microsoft has worked with 3rd parties who develop applications using Microsoft VBA to make sure they are aware of this security vulnerability and that they have the necessary updates to Microsoft VBA to incorporate in their products. You should contact your software vendor to obtain updates for any non-Microsoft applications that use Microsoft VBA.
This vulnerability is described in Microsoft Security Bulletin MS03-037 and eEye Digital Security advisory AD20030903-2.

---

Impact

By convincing a victim to open a specially crafted document, an attacker could execute arbitrary code with the privileges of the victim.

---

Solution

Apply patch

Apply the appropriate patch referenced in Microsoft Security Bulletin MS03-037.

---

Vendor Information

804780

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: September 12, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS03-037.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23804780 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.eeye.com/html/Research/Advisories/AD20030903-2.html&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS03-037.asp&gt;
• <http://www.microsoft.com/security/security_bulletins/ms03-037.asp&gt;
• <http://support.microsoft.com/default.aspx?scid=kb;en-us;822715&gt;
• <http://www.secunia.com/advisories/9666/&gt;

Acknowledgements

Microsoft credits eEye Digital Security with discovering and reporting this vulnerability. Information used in this document came from Microsoft and eEye Digital Security.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2003-0347
Severity Metric:	16.83 Date Public: